The authors acknowledged on the list that they didn’t think of the attack, and have appropriately scaled the parameters.
Cryptography is hard - there have been numerous NTRU optimizations that withstood years of analysis before someone worked out how to break them. Not everything is an NSA conspiracy. The dual-EC bullshit was even confusing to other cryptographers at the time, but at that time good faith was still being assumed.
The attack the NSA used on the standardization process can’t be repeated in any way now, because no protocols are accepted that don’t demonstrate how the various constants are determined. Of course there’s also much less trust in the US gov, and more importantly US gov adjacent cryptographers.
At the time some cryptographers said it looked like a backdoor and they were largely dismissed by the public until Snowden-related evidence came to light. Further reporting exposed the $10m bribe to RSA. To wax poetic: It was not a note in isolation but a note in a much larger song.
It is important to remember that NSA is continuing to do this kind of thing and they try from every angle. It is literally their job. Consider that the Dragonfly issues at the IETF are after Dual EC.
There are backdoored systems which are deployed and have not yet been revealed.
We must be on the lookout for them, and we must consider that NSA supposedly employs the most mathematicians in the world.
Ward’s work is amazing. Wouldn’t it be amazing if NSA actually tried to help? Do we suppose NSA didn’t also have a break on it? If not, we should really hope Ward keeps working in public. If NSA actually wanted to help and did help by breaking the remaining systems, it might win some points in public and especially if they advance the state of the art in cryptanalysis.
They were largely dismissed by "the public" --- and dismissive themselves --- because nobody believed anybody would actually use an expensive, janky PKRNG when far simpler, more performant CSPRNGs were already universally available in operating systems and standard C libraries. The revelation in the BULLRUN leaks wasn't that Dual EC was suspicious --- it had always been suspicious --- but rather that companies were actually using it, because NSA suborned RSA Security into making BSAFE use it.
(Prior to BULLRUN, I'd have been equally dismissive of the idea that people were still using BSAFE, either, but, no, as it turns out, the industry is a whole lot dumber than any of us expected it to be).
NSA does actually try to help; it's ostensibly half of their mission (nobody seriously believes the IAD mission gets anything close to 50% of the resources).
This comment is great and gets to the heart of the dispute. Thanks for making it.
I have spoken with one of the authors who found it and he did not dismiss it, so I don’t know why you frame it as if they did? Maybe this would be a useful citation?
I do not believe that this was the only surprise in BULLRUN. I was horrified (as an American) that NSA weakened cryptography to their advantage even including against American businesses. This is still going on today and it isn’t just BSAFE. The NSA also “enables” other products including hardware to their advantage.
I agree that IAD has an important positive goal for work; I’m not really in a position to know if they are trying to help, but the goal seems solid. I agree that they do not get anything close to 50% of the funding and I think this should be solved by breaking them out from NSA entirely. They should probably be made into a transparent group which never ever gives NSA an advantage, as the first time did so much damage that we are still discussing it today.
And it doesn't even matter. It's almost a distraction to even think about conspiracy theories or worrying about sounding like a conspiracy kook.
By now it doesn't matter if there is a conspiracy or not.
The totally boring, unimaginative, hard-nosed, practical conclusion is you do not accept cryptographic advice from this source. (NIST, or the US government at large, or any other government either, or really even any large corporation.)